Web Application Security Forum - SPAM

Found some spammer files on my web server (no replies)

Royal2000H — Tue, 02 Oct 2012 17:05:54 -0500

I've been getting some failed mail delivery reports at my catch-all email address on my server. Finding this weird, I had a feeling there was spam coming out of it.

Connecting through FTP, I found some definitely odd files.

1. A file violin.php which let the spammers send mail out of my server and domain through POST parameters.

2. Three obscure, randomly named html files which were empty except for small obfuscated javascript that redirected to spam/adult websites and pop ups.

3. One file in cgi-bin, "mhstchk.cgi" which seems to be the first file they put on the server. It seems to gather information about the server in order for them to decide whether it'll work for their spammer needs. Here's a few lines from the beginning:

my $smtp = 'smtp.yandex.ru';

my $dns = '194.173.175.100';

my $fpart = "hello_my_little_friend._You_have_download_this_page_and_see_this_source.";

my $lpart = "_We_do_not_delete_anything_only_upload_change_your_passwords_and_do_not_say_it_to_anybody";

And then it goes on to print "uname -a", test Perl modules, the SMTP server, some DNS tests, etc.

Now I'm wondering how they got the files on the server. Exploit of apache? Do I need to tell my hosting company to check for cracks in this shared server? Brute forcing my PHP password? Exploit in wordpress?

Anyone see this before?

EDIT: Just found them in my FTP access logs. So did they just brute force my password? It seems there were more files they put in my cgi folder that they since deleted. Also it seems that cgi file was there for a long time.

sending spoof e-mail understanding the dynamic (2 replies)

lazer — Thu, 20 Jan 2011 16:56:48 -0600

hey guys this is what i want to do:-(consider me as newbie to entire spoofing / spamming game)

i'm not at user of site abc.com but what i plan to do is to use the admin mail of abc website (e.g admin@abc.com) and sent a spoof email to person zyz@abc of the same domain.

I want to do this with lowest level of detection possible. Do i have to do an open-relay thing? if yes would it not be detected by mail-server anti-spoofing / black-list filters. How could i avoid my mail ending up at the spam box of my victim machine? if it does well spams gets deleted and bad things happen to it

If there is an command line tool for crafting fake email how could these cli tools provision the user of formatting (e.g insert hyper-link behind text) inserting images/ header and footer. The reason im saying this is coz without such dynamic content it would be impossible in my case to lure the potential victim. I cannot add the url if it has xss signatures in command line it would be so easy to detect?right....

Thank you for reading my message.Please help me find the right path:)

appreciate...

How do I deal with this sort of hacker/spammer? (1 reply)

Captain Xarzu of Alpha Centauri — Mon, 06 Sep 2010 15:32:05 -0500

Some "usermane" is requesting a "username" in my wordpress blog.

I did not expect this to happen with my wordpress blog. I do not know if it is just users stupidity or if it is spammers trying to break into my blog. Either way, it is something that needs fixing. Apparently people are trying to log in without registering.

I have been getting annoying email messages that say essentially:

Quote

SoAndSo (SomeEmail@somewhere.com) has requested a username at MyWebForumAndBlog

h t t p : / / w w w . M y S i t e . c o m

To approve or deny this user access to MyWebForumAndBlog go to...

That is not exactly what it says, but you get the idea. Click here to see an actual message.

So I am guessing that what is happening is that someone just clicks on "log in" and then requests a password instead of clicking on Register. But there are so many of these messages that I have to wonder if this is a spam bot.

On the other hand, the message says it is requesting a username, not a password. So this is some sort of wordpress spam and trick someone is using where they are bypassing the normal login.

And it does not make sense. Think of it. Some "usermane" is requesting a "username". How do they do that?

Which Domain Extension best (2 replies)

reshmaa — Thu, 08 Oct 2009 20:18:48 -0500

I want the solution which is the Best extension to register the Website Domain ..I found the Domain name registration site named as seo://www.tucktail.com/ I want register there my business site's Domain name Which is best extension .ORG or .COM help me please.

Phishing with Non Scriptable User Input (no replies)

Inferno — Mon, 02 Mar 2009 00:05:10 -0600

Some thoughts here http://securethoughts.com/2009/03/phishing-with-non-scriptable-user-input/. You can use this for spams.

Only totally free hosting service. (6 replies)

Anonymous User — Wed, 08 Oct 2008 11:51:03 -0500

Free cPanel Web Hosting with PHP5/Mysql - no advertising!
Register now: http://deleted.stupid.link

We can offer you a free web hosting package packed with advanced features for hosting & building professional dynamic websites. We provide secure free web space with all the web hosting tools you could possibly ever need.

Our package includes:
- 350 MB of Disk Space, 100 GB Bandwidth
- Host your own domain (http://www.yourdomain.com)
- cPanel Powered Hosting (you will love it)
- Over 500 website templates ready to download
- Easy to use website builder
- Free POP3 Email Box with Webmail access
- FTP and Web based File Manager
- PHP, MySQL, Perl, CGI, Ruby.
- And many more..

Click here to visit us: http://deleted.stupid.link

_____________________________________________________________________
PERSONAL / CEAP HOSTING Starts at $3.00/mo Register here https://another.stupid.link.deleted

Manual Spamming Blogs (10 replies)

rsnake — Fri, 17 Oct 2008 14:18:51 -0500

Okay, this is my new favorite thing to hate:

83.26.205.84 - - [18/Jul/2008:05:48:06 -0500] "GET /blog/20070725/res-timing-attack/ HTTP/1.1" 200 14430 "http://www.google.com/search?hl=en&client=firefox-a&channel=s&rls=org.mozilla:pl:official&q=%22leave+a+reply%22&start=80&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"

The part that's stupid about this is that it's manual. The person really is a real person, but instead of writing a robot like any normal person they are manually writing their comments. I've since changed some of the text on the page to make ha.ckers.org stop showing up in default text search queries like this, but still. So annoying!

New Spam Technique? (9 replies)

inzomiac — Thu, 03 Apr 2008 17:42:31 -0500

Do you know new spammer techniques that is being used now a days? hope you can share them with me since I'm doing a simple research about it.

Thanks

php mailer sender ID test (3 replies)

shad0w7 — Thu, 24 Dec 2009 17:53:56 -0600

Just experimenting with a php mailer I uploaded and I sent a message to my hotmail address with a from address of my choice. It went straight to junk and failed the sender ID test and was marked as "potentially dangerous", even though I just put "test" as subject and message body.Is it possible to get past this,and is it only possible with a massmailer? If so, what smtp server should I use, as all the previous ones I've used with a mailer program keep giving errors.

Dear google (4 replies)

id — Sat, 01 Mar 2008 17:22:57 -0600

Yes, we know you hate us and all...but please don't run mail servers if you can't set them up properly.

Feb 23 00:00:20 mail postfix/smtpd[39402]: NOQUEUE: reject: RCPT from an-out-0708.google.com[209.85.132.250]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:00:45 mail postfix/smtpd[39403]: NOQUEUE: reject: RCPT from wr-out-0506.google.com[64.233.184.226]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:01:05 mail postfix/smtpd[38117]: NOQUEUE: reject: RCPT from ug-out-1314.google.com[66.249.92.171]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:02:08 mail postfix/smtpd[39402]: NOQUEUE: reject: RCPT from hs-out-0708.google.com[64.233.178.240]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:02:16 mail postfix/smtpd[38115]: NOQUEUE: reject: RCPT from ug-out-1314.google.com[66.249.92.169]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:02:25 mail postfix/smtpd[39403]: NOQUEUE: reject: RCPT from fg-out-1718.google.com[72.14.220.154]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:02:31 mail postfix/smtpd[38815]: NOQUEUE: reject: RCPT from py-out-1112.google.com[64.233.166.182]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:02:54 mail postfix/smtpd[38115]: NOQUEUE: reject: RCPT from ug-out-1314.google.com[66.249.92.172]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:03:30 mail postfix/smtpd[38115]: NOQUEUE: reject: RCPT from hs-out-0708.google.com[64.233.178.241]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=
Feb 23 00:03:51 mail postfix/smtpd[38115]: NOQUEUE: reject: RCPT from py-out-1112.google.com[64.233.166.181]: 550 5.1.1 : Recipient address rejected: User unknown in virtual mailbox table; from=<> to= proto=ESMTP helo=

Log Spam (5 replies)

klaus — Mon, 18 Feb 2008 04:26:08 -0600

Any ideas on how to hide referer these days since most logs (Google analytics/Statscounter) are done using Javascript?!

I miss the good old days when we didn't depend on javascript and a simple fake HTTP HEADER injection would do the trick! (referer & host)

Also, is there anyone out there who have been sucessfuly spaming links on urchin.js? I am asking this because I have seen this week, for the fisrt time ever, the first log spam links on my statscounter acount!

Rent a botnet (no replies)

kaito834 — Tue, 02 Oct 2007 11:52:17 -0500

I want to know where a botnet is rent.
Could someone who knows a way to rent a botnet tell me the way?

How much is an email worth? (7 replies)

barbarianbob — Tue, 26 Jan 2010 03:26:13 -0600

How much would an average spammer pay for, say, 1000 unique emails? I'm curious because I heard at one time email grabbers were making several dollars a second.

Gmail marking legit emails as spam (13 replies)

ash — Tue, 11 Dec 2007 13:13:39 -0600

I run a legit website, A few months ago I could use php mail() function to send veritification emails to prevent spam but now GMAIL is marking my emails as SPAM.

What can I do to resolve this issue?
Did you blacklist us, if so why?
Is it because our server is from Germany?
Is there a work around?
How can I view their blacklist?

Anyhelp be great guys.

Second Life (1 reply)

klaus — Mon, 10 Dec 2007 09:08:41 -0600

With so many Second Life cheats, bots and hacks available lately, what's your view on SL Spamming? Any experiences to share?

Fast-Flux Service Networks (no replies)

ntp — Tue, 17 Jul 2007 14:52:35 -0500

Lance Spitzner just posted this as a "Know Your Enemy" series from the HoneyNet Project on Fast-Flux Service Networks, which are used for building resilient botnets that are useful for sending spam:

http://www.honeynet.org/papers/ff/fast-flux.html

When I first heard about the fast-flux concepts (about 3 years ago), I heard about it from a certain class of spammer/phisher as noted in this blog commentary:

http://ha.ckers.org/blog/20070215/types-of-phishers/

Perculiar service this is... (5 replies)

Anonymous User — Fri, 24 Oct 2008 12:18:20 -0500

https://spameater.com/try.php?r=0

Okay, this site looks very legit and it probably is.

But see what they ask you to submit: username & password of your pop3.

This service scans your mailbox for SPAM. I don't klnow what you think, but my security bells begin to ring when I see this page. Would be a good scam also, just ask them their login and your pretty much done.

Bots to automate features (3 replies)

digitalIllusionism — Wed, 11 Jul 2007 19:33:38 -0500

While this isn't really related to spamming, it's the same question someone interested in learning about spam would ask, so I thought it fit.

I want to write a bot that automates actions but I'm not sure where to begin. I know some basic PHP, like how to open web pages, spider/extract strings, and write output based on it. I'm not really advanced but it seems I might not need to be for a bot, if it can be done through refreshing and re-outputting each time. Is that how it's done? I actually don't know if I use Javascript or a server-side language for a bot, or even either. I'm running Windows XP. Is there just a program that runs for XP and makes HTTP requests in place of a browser?

Thanks.

good spam (5 replies)

id — Thu, 26 Apr 2012 10:39:35 -0500

some spam makes me laugh, keeps me from hunting down and strangling the other spammers.

-------------------
Hello my friend!

I am ready to kill myself and eat my dog, if medicine prices here (http://xxxxxxx.hk) are bad.

Look, the site and call me 1-800 if its wrong..

My dog and I are still alive :)
-------------------

Animated CAPTCHA (7 replies)

christ1an — Tue, 17 Apr 2007 05:07:29 -0500

Hi,

Is there anybody who has some experiences in assuring CAPTCHAS against automatic character recognizing? While searching for useful information on this I found out that most CAPTCHAS (I'd even say more than 80%) are automaticly solveable and those who are more difficult for programs tend to be difficult for human beings as well.

Now what I'm wondering is how secure animated CAPTCHAS actually are. Given what I as a newbie on this matter have read so far, I don't think it's much more difficult to solve those than it is to solve non-animated ones.

Have a look at this page please: http://www.animierte-captcha.de/
There you see some examples of animated CAPTCHAS. The site states that the images are secure because they never show the whole string but only one part, however I'd say that those strings underneath the animation are easy to determine[. ____Can't a program just take a shot of the image, wait about half a second, make another shot, put those two together and then go on working on them]

mailinator architect describes system (2 replies)

littlegreenguy — Thu, 05 Apr 2007 18:38:56 -0500

http://mailinator.blogspot.com/2007/01/architecture-of-mailinator.html

the whole of mailinator, the email service loved by users of www.bugmenot.com runs from one 2GHz 1GB ram computer, with all the emails stored in ram.

It's a pretty interesting article.

SPAM Never Ceases To Amaze Me (11 replies)

Awesome AnDrEw — Sat, 31 Mar 2007 23:33:56 -0500

I got an email (SPAM of course) that recommended I go to some randomly hosted free site because some random name had received some random item after some random event. I viewed the source remotely, stripped out unnecessary HTML, and got the following:

So I first deobfuscated the function to:

Modified it to:

I did this to prevent it from executing if it had indeed been some awful spyware program. Then I simply placed the second half of the script into a test document, and ran it to see:

All that work to simply relocate the website to a penis enlargement site. Seems like more hassle than it's worth.

Microsoft Web Exchange (3 replies)

beaule — Sat, 31 Mar 2007 03:47:45 -0500

Maybe somebody heard about this issue...
when i'm browsing my company's Microsoft WebExchange i see this link

http://www.myCompany.com/exchweb/bin/redir.asp?URL=http://www.site.com
Nice phishing issue, isn't it?

1) search web exchange for company X in using google
2) search email adresses available for this company in using google (or browsing their website)
3) send to this adress a phishing mail... something like
****
Hello,
please follow this link to access the new
logon web mail interface
http://www.myCompany.com/exchweb/bin/redir.asp?URL=http://www.hack.com/logon.do

Your mail administrator
*****
And retrieve logon for users (probably the same as network access logon, VOIP,...)

Spam en el puto movil (2 replies)

usuario softonic — Fri, 09 Mar 2007 15:22:50 -0600

Os ha llegado a vosotros tambien? ultimamente no para de llegar Spam en el movil, pero ya los tengo trincados quienes son

Popular WordPress Plugin "Digg This" Security Vulnerabilities Found (2 replies)

kdawg — Tue, 23 Jan 2007 11:07:16 -0600

Rather than retyping it all, I'll link to my Digg article I wrote on it.
http://www.digg.com/security/Popular_WordPress_Plugin_Digg_This_Blog_Security_Vulnerabilities_Found

The upgrade/patched version is here: http://www.harrymaugans.com/digg-that/

Bulk Emailing Advice (12 replies)

Bite*Me! — Tue, 17 Jul 2007 03:41:08 -0500

I'm hoping that someone here can help me. A person I know is starting a business and needs to do bulk emailing. They don't know any of the new bulk emailing software. They used to use Power Email Harvester, Email Validator and the Dynamic Software-but that was still years ago. .But can someone tell me what the best new software out there is to use is (that they can get a Key or crack for). Also, since they want to remain annonymous , sothey're not sure what the best approach to actually email the info is……a internet café would take care of the Ip, but they want to know if there are any servers that you suggest-anything will help. Also they're not that great with this stuff so , Kid=language will help. If anyone can email me or post any info (I will pass the info along), They would appreciate it-the person I know wants to get it out asap.

Thanks :)

Spam via fax?!?! (5 replies)

WhiteAcid — Tue, 31 Jul 2007 21:29:05 -0500

I went to my mums work place today to drop something off. I couldn't help notice a piece of paper sitting in the fax machine. I just had to ask if I could keep the paper as I thought it was hilarious.

You may be wondering what type of place my mum works at. It's not IT related in the least, I highly doubt they even have a website, nor is it a private company. Surely not the target audience of this spam.

Edit: Searching for that phone number comes up with http://traintaxi.nationalrail.co.uk/?crs=WAC which shows it to belong to Benco cabs.

an idea what about it? (12 replies)

jungsonn — Mon, 09 Apr 2007 04:55:49 -0500

spam sucks, more spam sucks even more.
i've seen a weird trend lately that my personal email adress is on phishingschemes, paypal pyramids, newsgroup free i-pod garbage etc, dunno why but that sucks. I don't get alot of spam btw, think 99% is filtered, still i have an idea, dunno if it's allready outhere.

When making an email someplace, i think if there is a website between the 2 parties that authenticate users to contact you via a onetime pincode, if they have given the pin, the users gets a signiature which then authenticates againt the emaillist and my email account, so no one is allowed to email me unless they got a pin from the special made website who hadles these issues. It's a onetimer only, so not much trouble to do it. After that one can email me forever, unless i go again to that site and block hem or her, then that users will need a new pin but does not get it, cause he or she is blocked.

makes sense? :))

Email dated to the future (3 replies)

Ambush Commander — Sat, 04 Nov 2006 19:57:01 -0600

Lately, I've been receiving a lot of spam that is coming from the future. It's currently November: I'm seeing emails all the way from December. This is obviously a ploy to get the email to bubble up to the top of the inbox, but it's quite annoying, because I've actually had this happen for legit emails too. Any comments?

Anti-Spam heuristics (2 replies)

rsnake — Tue, 10 Apr 2007 00:57:30 -0500

A few years back I went to an email conference where I heard a number of anti-virus and anti-spam technical folks talking on a panel about some of their tactics and where the trends were going. It was a bit of a yawn-fest, but one comment got me thinking. They basically said that one of the variables they use for detection is so easy to fix they couldn't tell anyone, but it has to do with the fingerprint they leave on the system they are sending email to.

I happen to know a bit about spam, as one of the email accounts I have is so old, and so well distributed on the net, that I've nearly crushed the email servers that host my mail in spam. In fact, we get so much spam that one of the anti-spam companies uses it as heuristics to tune their own spam engines. Amazing! And even after that I still have my own anti-spam filters, AND I still get spam. It's crushing.

But I wonder what that fingerprint is. It could be something as simple as sending something in lowercase when all other MTUs send it in uppercase, or adding an extra line feed or anything small. Anyone have any ideas? It might give us a clue as to what to search for in terms of other applications.